30 October 2016

One of the reasons the United States has endured is transparency and the rule of law. There are several key systems in place for corporations, organizations and governments to decide on the rules, publish them, enforce them and provide people with mechanisms for establishing trust in the system. Operational Risk Management (ORM) as a discipline interfaces with many of them across the globe.

Policies that are not codified in laws differ across states and global jurisdictions. The rules that people can rely on, and have come to trust for hundreds of years, remain the foundation for our modern civil societies. It is when the rules are ignored, underutilized or forgotten that disruption and chaos can erupt.

A key principle in modern democracies is that the rule of law is known. Statutes, regulations, court decisions, agency deliberations, and even the minutes of Federal Reserve meetings are published and made available. The operating premise is that, if the rules are accessible, civil order and social continuity will be strengthened and the conduct of those violating the rules is more easily prosecuted. The old saying that “Ignorance of the law is no excuse” rests on an important premise—the law must be published and accessible. The Internet has made much of the content of the rule of law even more accessible.
Jeffrey Ritter

The country and the jurisdiction are key components for knowing the law, and in the day of the Internet the law is even more accessible. Those building trust in an organization, company, enterprise or governance body have several tools at their disposal to assist with enforcement. One of those is an independent panel or group of outsiders convened to discover evidence.

A Board of Directors is composed of individuals both inside and outside the company, to help guide the organization. In a private company, this "Board of Directors" makes decisions based on the evidence of data and governs the enterprise with informed decisions. Some of these decisions may involve what products and services to develop, or which people should be selected for or released from certain duties and responsibilities.

In the public sector, there is another mechanism that can be utilized: a grand jury. The Fifth Amendment to the Constitution of the United States reads, "No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury..."

A grand jury is a legal body that is empowered to conduct official proceedings to investigate potential criminal conduct and to determine whether criminal charges should be brought. A grand jury may compel the production of documents and may compel the sworn testimony of witnesses to appear before it. A grand jury is separate from the courts, which do not preside over its functioning.[1]

What is one example of a notable case where a grand jury was used in the process of the rule of law?

The second Watergate grand jury indicted seven lawyers in the White House, including former Attorney General John Mitchell and named President Nixon as a "secret, unindicted, co-conspirator." Despite evading impeachment, Nixon was still required to testify before a grand jury.

An environment of trust includes a vital component: transparent and accessible rules. When there is a reason to discover the truth, we look to the governance factors of those rules. Then we look at the clear evidence, the data, to determine the correct course of action in our inquiry. A Board of Directors or a grand jury provides guidance on whether a particular case should be referred to a legal process in a particular jurisdiction. The rules are clear. Trust is preserved.

ORM is a continual process that, when utilized effectively, will provide the four benefits described. Why any governance organization or body that is interested in transparency and building trust would ignore the process is questionable.

ORM includes legal risk. This is why private sector companies include the General Counsel (GC) in the team that helps to effectively govern the organization. The GC understands the rule of law, the requirement for transparency and the factors needed to achieve integrity and trust.

Now think about your organization, your jurisdiction and the process you are utilizing to ensure more effective Trust Decisions. What can you do differently? What will you do to make it better? How will you make the best use of the rules to effectively ensure the integrity and governance of the system?

Here is just one example:

Over 60 people in the U.S. and India face conspiracy and wire fraud charges in the largest crackdown against a telephone scam ever, officials said.

Callers from centers in India posed as federal agents to threaten victims with arrest, imprisonment, fines or deportation if they didn’t pay up, according to an 81-page indictment unsealed Thursday.

At least 15,000 Americans lost more than $300 million collectively during the four-year scam, according to the feds. A Texas grand jury indicted 24 people from nine U.S. states, 32 people from India and five call centers in Ahmedabad, India, earlier this month.

23 October 2016

Intelligence-led processes applied within the global corporate enterprise remain relevant for reasons being published in the popular press. "Operational Risk Management (ORM) Specialists" utilize these processes to mitigate a growing spectrum of domestic and transnational threats:

Developing relevant intelligence to run daily business decisions in your institution may seem like an important task day to day. The question is, how embedded is the "Corporate Intelligence Unit" in developing the relevant intelligence your decision makers need every few minutes or hours to steer the organization away from significant losses? Is your internal web-enabled "Corporate Daily News" or "ABC Company Post" being updated in real time by the employees in each department or business unit?

Do you have an organized, synchronized media and communications function working within your Corporate Intelligence Unit (CIU), to continuously post the correct content and manage the RSS feeds from each global business unit? Why not?

The "Information Operations" (IO) of your company are the lifeblood of how your employees will make relevant decisions on where to steer clear of significant risk. Based upon what other business units are doing or what is going on in the external environment of your state, sector or geography, consider these scenarios:

If the internal RSS feed for the IT department reported that a Distributed Denial of Service (DDoS) attack was going on at that moment, how might that impact the decision by the marketing department to delay posting the new product release information to the Twitter site? The synchronization of intelligence-led processes is led by the head of the Corporate Intelligence Unit. The CIU is staffed with people who have a tremendous understanding of the corporate enterprise architecture and have the skills and talents to operate as effective operational risk management professionals.

If the internal RSS feed for the Facilities Security department reported the presence of a "White Truck Van" with blacked-out windows trolling the perimeter of the corporate parking lot, how might this change the decision for the CEO to leave that minute for her scheduled trip to the airport? Skilled CIU staff would quickly notify the CEO via the "Corporate 9-1-1 Alert" app embedded in every employee's iPhone. Undercover corporate security personnel would then immediately approach the vehicle for a recon drive-by.

If the internal RSS feed reported a recent change in industry legislation that would change the way the Federal Trade Commission defined the elements regarding consumer privacy, how might this affect the latest strategy on how the institution was going to encrypt its data on servers and laptops? The CIU staff would advise the Chief Information Officer and other Information Security Risk staff to step up the roll-out of the latest version of PGP for the enterprise.

And the list goes on. The modern-day intelligence-led Corporate Intelligence Unit (CIU), in concert with other highly specialized Operational Risk Management professionals in the enterprise, can keep you safe, secure and keenly aware of new threats to your corporate assets. The degree to which you provide the right resources, funding and continuous testing/exercising of your capabilities will determine your likelihood for loss outcomes.

If your organization has been impacted by loss outcomes that continuously put your employees, stakeholders or assets at risk, then look hard and deep at your "Operational Risk" quotient, to determine if you are the best you can be...

15 October 2016

The culture of your business or organization will continue to be the root cause of many of your most substantial successes. Simultaneously, it will be one of the most significant factors in your potential downfall as a company. Operational Risk Management (ORM) professionals at Wells Fargo and Booz Allen Hamilton are still dissecting all of the evidence of their respective events.

"Managing Risk to Ensure Intelligence Advantage" is a theme that you may not have heard before, unless you are in the Intelligence Community. There is one key principle that is worth emphasizing again at this point in time:

Ensure all work is subject to scrutiny. Require conflict of interest-free peer review for all programs, projects and strategies.

This principle, which must become pervasive across the culture of the organization, is imperative for several reasons. The first is that a culture really is a manifestation of the people and the behaviors that are normal in the organization. The second is that the culture must strive to be a true mosaic of the best thinking and ideas from all the key stakeholders in the enterprise, not just one or two people at the top or a single department.

Opening your work to scrutiny and review by others is the beginning of new-found discovery and transparent insight. It is the foundation for building a more trusted operating environment, with as little bias as a culture can possibly have. When an organization spins out of control and becomes the latest case study on an Operational Risk failure event, you must learn from it. Wells Fargo is just one recent example:

Some consumers may be shying away from Wells Fargo after learning that employees used customers’ information to open sham accounts, according to new figures reported by the bank.

The nation’s largest retail bank beat expectations when it reported more than $5.6 billion in profit for the past three months. But the bank’s earnings report also hinted that Wells Fargo may have some trouble convincing people to open new accounts in the wake of the scandal.

The number of checking accounts the bank opened in September fell by 25 percent from the same time last year, the company reported Friday. Credit card applications filed during the month dropped by 20 percent from a year ago. And the number of visits customers had with branch bankers also fell by 10 percent from last year.
Washington Post

Whether you are in the international banking and finance business, the defense industrial base or any other set of critical infrastructure institutions that public citizens are counting on, there is no room for a runaway culture. Consider this definition:

You see, the integrity and longevity of your "Trust Decisions" begins with the sharing of relevant information. Sharing that information with your most trusted and significant partners is the start: the beginning of a dialogue with people in your culture who continuously review the information and the new strategy. This begins the ongoing process. It is now time for others to look at your idea, your strategy, your policy rule, from their perspective and from their knowledge base. To scrutinize it. To analyze it. To make sense of it for themselves and for those affected by it.

The truth is, you don't have all the understanding and you don't have all of the ecosystem knowledge. You don't have the entire data set needed to know whether the specific work you have been doing is sound and correct; whether the new work you have designed is culturally and morally acceptable; whether the outcomes of your project will produce the results imagined; and whether the strategy and the work are the right thing to do at this point in time.

So how do you change? It begins with your next management meeting and beyond. If you are the leader, the manager, the director, the Vice President or the CxO, start now. Ask for scrutiny on your proposed strategy. Gain new insight and understanding. Ask for feedback and changes to make it better. Your power in the culture and its impact is your greatest weakness. Your people will follow you, unless you challenge them to think differently...

09 October 2016

After we checked in, our elevator ascended to the 4th floor of the Washington Post on October 6th, where everyone on board was anxious to get their seat inside the "Live Center." The 6th Annual Cybersecurity Summit began at 9:00AM, on the heels of international news from Yahoo, Julian Assange and the NSA.

The TV cameras were lined up in the rear and the chairs were set on stage for 30-minute talks with key thought leaders from across the United States. One could not miss the ceiling-based sensors capturing the faces of each person attending. The moderators from the Washington Post were all prepared with their specific areas of questions, addressing such topics as:

Protecting Personal Data

Political Hacks and Leaks

Cyberspace: A 21st Century Warzone

A Focus on Critical Infrastructure

The White House and Cybersecurity

Flashback 6 years to Harrison Ford's movie Firewall, and the viewer is entertained with a combination of Seattle bank heist, kidnapping and good old-fashioned Hollywood chase and fight scenes. There is even a degree of deception and conspiracy mixed in to spice up the story line. The plot is full of social engineering lessons from which even those with little knowledge of high technology can learn a thing or two.

While the actual high-technology bank heist turns out to be nothing more than a simple stealing of account numbers and a transfer of $10,000 from each of 10,000 high net worth customers, the movie title is a ploy. In only one short sequence is there any focus on the fact that the bank is being attacked on a daily basis from locations on the other side of the globe. Those attackers, using new and increasingly sophisticated strategies, are consistently giving financial institutions new challenges to secure their real assets: binary code.

In early 2005, a criminal gang with advanced hacking skills had tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft via key logging software installed on the bank's computers had been circulating in security circles at that point in time. Soon thereafter, warnings were issued to financial institutions by the police to be on the alert for criminals using Trojan Horse technology that can record every key stroke made on a computer.

In this decade-old case, and even in the movie, there is a 99.9% chance of an "insider." A person has been bribed, threatened or spoofed in order for the actual fraud or heist to occur. The people who work inside the institution are far more likely to be the real source of your catastrophic digital incident than the skilled hacker using key logging software. More and more, the real way to mitigate these potential risks is through behavior profiles, continuous monitoring and deep learning analysis.

The human element, which relates to situational awareness, can't be ignored any longer. And this can only be changed through more effective education, training and testing of employees. An organization that procures technology worth millions of dollars is naive if it does not invest in educating its employees to make the investment worthwhile. Sometimes the human element stands alone. Just ask Mr. Robot.

Awareness, detection and determination of threat, deployment, taking action, and alertness are key ingredients for security.

"Predictive Intelligence comes into play as organizations recognize that detecting threats starts long before the firewall is compromised, falsified accounts established and bribes taken."

The Israeli airline El Al has long known the power of humans as a force in security. An empowered, trained and aware group of people will contribute to the layered framework as a force multiplier that is unequaled by any other technology investment.

The cyber topics and IP theft news this week should be a wake-up call for those institutions that still have not given their employees more of the skills, and their Operational Risk Management (ORM) professionals the predictive tools, for detecting human threats long before any real losses occur.

The truth is, that "Insider Threat" data is being collected by the minute and the hour. The public and private sectors have the highest concern about malicious insider activities to this day. What are some examples of the behavior? Some of these are observable by other humans and others only by machines and software. Do you currently measure the number of times per day a user on your network copies files from their system to a removable drive or Dropbox account?
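One way to put a number on that last question, as an added example that is not code from the original post: a per-user daily baseline of file copies to removable media or a cloud-sync folder, run over constructed audit lines in an assumed log format, that flags the day a user's count jumps well above their own history rather than above one global threshold.

```python
from datetime import date, timedelta
import re
import statistics

# Constructed audit lines (not real data): ISO timestamp, user, action, destination channel, file.
SAMPLE_LOG = """\
2016-10-03T09:12:04 alice COPY dest=USB file=q3_forecast.xlsx
2016-10-03T11:40:11 alice COPY dest=Dropbox file=notes.txt
2016-10-03T10:02:33 bob COPY dest=USB file=slides.pptx
2016-10-04T08:15:00 alice COPY dest=USB file=vendor_list.csv
2016-10-04T13:22:09 bob COPY dest=Dropbox file=todo.txt
2016-10-05T09:01:45 alice COPY dest=Dropbox file=roadmap.docx
2016-10-05T09:05:12 alice COPY dest=USB file=org_chart.pdf
2016-10-05T14:30:00 bob COPY dest=LOCAL file=draft.txt
2016-10-06T16:45:21 alice COPY dest=USB file=budget.xlsx
2016-10-06T10:10:10 bob COPY dest=USB file=memo.docx
2016-10-07T07:58:03 bob COPY dest=Dropbox file=expenses.xlsx
"""
# Constructed burst: on the last day alice copies nine files to USB within a few minutes.
SAMPLE_LOG += "".join(
    f"2016-10-07T07:{m:02d}:00 alice COPY dest=USB file=customer_part{m}.csv\n"
    for m in range(30, 39))

EXFIL_CHANNELS = ("USB", "Dropbox")  # channels that move data off the host
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<user>\S+) COPY dest=(?P<dest>\S+) file=\S+$")

def parse_events(text):
    """Return (day, user, destination) for every COPY line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((date.fromisoformat(m["day"]), m["user"], m["dest"]))
    return events

def daily_counts(events, channels=EXFIL_CHANNELS):
    """Count off-host copies per user per calendar day over the span of the log.
    Quiet days are zero-filled so a user's baseline reflects days with no copies."""
    if not events:
        return {}
    first, last = min(e[0] for e in events), max(e[0] for e in events)
    days = [first + timedelta(n) for n in range((last - first).days + 1)]
    counts = {user: {d: 0 for d in days} for _, user, _ in events}
    for day, user, dest in events:
        if dest in channels:
            counts[user][day] += 1
    return counts

def flag_outliers(counts, z_threshold=2.0, min_baseline_days=3):
    """Flag users whose most recent day is z_threshold deviations above their own
    history (a per-user behavior profile rather than one global threshold)."""
    flags = []
    for user, by_day in counts.items():
        days = sorted(by_day)
        baseline, latest = [by_day[d] for d in days[:-1]], days[-1]
        if len(baseline) < min_baseline_days:
            continue  # not enough history to call anything anomalous
        mean = statistics.mean(baseline)
        spread = statistics.pstdev(baseline) or 1.0  # flat baseline: treat any rise as 1 sigma
        if (by_day[latest] - mean) / spread >= z_threshold:
            flags.append({"user": user, "day": latest.isoformat(),
                          "copies": by_day[latest], "baseline_mean": round(mean, 2)})
    return sorted(flags, key=lambda f: f["user"])

if __name__ == "__main__":
    for f in flag_outliers(daily_counts(parse_events(SAMPLE_LOG))):
        print(f"{f['user']} copied {f['copies']} files off-host on {f['day']} "
              f"(baseline mean {f['baseline_mean']}/day)")
```

The LOCAL copy on bob's third day is deliberately excluded from the count, so his flat baseline stays flat and only alice's burst is reported.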

Executive Order 13587 was just the beginning to address the single point failures in the Defense Industrial Base supply chains.

Think inside the true threat. Ask questions about relationships, personality, job satisfaction, organizational structure, punctuality and who is leaving the organization. Who has just joined the company? The interdependencies are vast and complex and both data and metadata need to be collected for effective Activity-Based Intelligence (ABI).

Anomaly Detection at Multiple Scales (ADAMS) and the research on better understanding the "Forest for the Trees" scenarios is our destiny for the true threat. We will continue our security vs. privacy policy debates, yet at the end of the day, maybe the answers are as simple as Rubik's Cube.

If you start thinking of the Super Bowl championship as your motivation, you are going to miss the trees for the forest or the forest for the trees. I never could understand that one.
Marv Levy, via https://www.brainyquote.com/search_results.html?q=forest+for+the+trees

02 October 2016

Since the Boston Marathon terrorist attack on Patriots Day, April 15th, 2013, the spectrum of Operational Risks that has descended upon the region and the country is vast. People, processes, systems and external events are the state of play. If you own a backpack and you are taking it on public mass transit or to a public event soon, remember this. The new normal has finally arrived in the United States of America, again.

What does the face of terrorism look like? London understands. Oslo now understands. FOB Chapman understands. New York City. San Bernardino. Orlando. Dallas. Even as we begin the analysis of this latest U.S.-based event in context with all the similarities of past episodes of terror, we are left with one absolute known. Operational Risk Management is essential, no matter who you trust and how much you trust them. The public now understands this once again, and regardless of how much we may want to continue to enjoy our civil liberties and privacy, you never know when or how this will happen again.

Why is it that Israel and other nations that are far more advanced in their Operational Risk strategies still witness numerous incidents of terror? Because it is impossible to eliminate. It is only possible to mitigate the risks and likelihood of occurrence. Public safety and security incidents of this magnitude are the visible metric we all judge to make sense of our progress. Our only hope is better intelligence. Lisa Ruth explained this over four years ago:

Intelligence is the best, the only, way to defeat the terrorists. To tackle the terrorist threat, we need all the weapons in our intelligence arsenal. That starts with intelligence requirements from the entire community that are well-focused and well-targeted. It means funding and a mandate to succeed. It means strong collection. We need human intelligence, which comes from case officers recruiting sources on the ground to give us information. We need electronic information, including telephone intercepts and static listening devices. We need overhead photography. We also need open source information such as web sites, Facebook pages and other publicly available information. We need analysis, putting the pieces together. And we need decision makers who trust the intelligence services and listen to what they are saying.
Washington Times, 9/14/2012

So in the dark shadows and behind closed doors, the whispers continue to debate how Boston Patriots Day 2013 could have happened, and how, on December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, consisting of a mass shooting and an attempted bombing. Why didn't the intelligence we already had provide the warning in time, in the midst of a glaring yellow or red flag? As the analysis continues and the best and the brightest determine the lessons learned, we can only pray that our process changes take place and citizens' behaviors are modified. Erroll Southers explains why we have more work ahead of us:

At the same time, the radicalization process is not brief. Extremism smolders like a hot coal, an idea that grows into a violent fire fueled by anger, conflicts of identity, feelings of humiliation and marginalization. It is important for the public to understand that removing any one of these elements cannot fully disrupt radicalization. All of these and other root causes need to be addressed in the effort to not just apprehend terrorists, but dissuade the radicalization that leads to terrorism.

There will be numerous accounts of heroism, of people who saw or reported details that could have helped stop any of these Homegrown Violent Extremist (HVE) events. What matters most from this point forward is that "John Q. Citizen" realizes the importance of being ever vigilant. Having a continuous sense of personal vigilance is our only hope. Whether in the crowd at the next marathon or in a lonely office cube off Route 123 does not matter. The goal is the same, and we must not lose sight of our mutual responsibilities and unified purpose.

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution's activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke